# 1Password

> Inject 1Password secrets into an AI agent's tool calls without exposing them in chat.

[Canonical HTML page](https://top-mcps.com/mcp/1password) · [server.json](https://top-mcps.com/mcp/1password.json) · [methodology](https://top-mcps.com/about/methodology)

## Install

### Claude Desktop — `claude_desktop_config.json`

Paste under mcpServers. Fully quit and reopen Claude after editing.

```json
{
  "mcpServers": {
    "1password": {
      "command": "npx",
      "args": [
        "-y",
        "@takescake/1password-mcp"
      ],
      "env": {
        "OP_SERVICE_ACCOUNT_TOKEN": "${OP_SERVICE_ACCOUNT_TOKEN}"
      }
    }
  }
}
```

### Claude Code — `CLI or .mcp.json`

Run from your repo. Commit .mcp.json to share with your team.

```shell
# export OP_SERVICE_ACCOUNT_TOKEN=ops_eyJ...
claude mcp add 1password -- npx -y @takescake/1password-mcp
```

### Cursor — `.cursor/mcp.json`

Global path: ~/.cursor/mcp.json. Reload window after editing.

```json
{
  "mcpServers": {
    "1password": {
      "command": "npx",
      "args": [
        "-y",
        "@takescake/1password-mcp"
      ],
      "env": {
        "OP_SERVICE_ACCOUNT_TOKEN": "${OP_SERVICE_ACCOUNT_TOKEN}"
      }
    }
  }
}
```

### VS Code — `.vscode/mcp.json`

VS Code uses the "servers" key (not "mcpServers").

```jsonc
{
  "servers": {
    "1password": {
      "command": "npx",
      "args": [
        "-y",
        "@takescake/1password-mcp"
      ],
      "env": {
        "OP_SERVICE_ACCOUNT_TOKEN": "${OP_SERVICE_ACCOUNT_TOKEN}"
      }
    }
  }
}
```

### Windsurf — `~/.codeium/windsurf/mcp_config.json`

Open via Cascade → hammer icon → Configure.

```json
{
  "mcpServers": {
    "1password": {
      "command": "npx",
      "args": [
        "-y",
        "@takescake/1password-mcp"
      ],
      "env": {
        "OP_SERVICE_ACCOUNT_TOKEN": "${OP_SERVICE_ACCOUNT_TOKEN}"
      }
    }
  }
}
```

### Cline — `cline_mcp_settings.json`

Open via the Cline sidebar → MCP Servers → Edit.

```json
{
  "mcpServers": {
    "1password": {
      "command": "npx",
      "args": [
        "-y",
        "@takescake/1password-mcp"
      ],
      "env": {
        "OP_SERVICE_ACCOUNT_TOKEN": "${OP_SERVICE_ACCOUNT_TOKEN}"
      }
    }
  }
}
```

### Continue — `~/.continue/config.json`

Continue uses modelContextProtocolServers with a transport block.

```json
{
  "experimental": {
    "modelContextProtocolServers": [
      {
        "transport": {
          "type": "stdio",
          "command": "npx",
          "args": [
            "-y",
            "@takescake/1password-mcp"
          ],
          "env": {
            "OP_SERVICE_ACCOUNT_TOKEN": "${OP_SERVICE_ACCOUNT_TOKEN}"
          }
        }
      }
    ]
  }
}
```

### Codex CLI — `~/.codex/config.toml`

Codex uses TOML. Each server is a [mcp_servers.<name>] subtable.

```toml
# ~/.codex/config.toml
[mcp_servers.1password]
command = "npx"
args = [
  "-y",
  "@takescake/1password-mcp",
]
env = { OP_SERVICE_ACCOUNT_TOKEN = "${OP_SERVICE_ACCOUNT_TOKEN}" }
```

### Zed — `~/.config/zed/settings.json`

Zed calls them "context_servers". Settings live-reload on save.

```jsonc
{
  "context_servers": {
    "1password": {
      "command": {
        "path": "npx",
        "args": [
          "-y",
          "@takescake/1password-mcp"
        ]
      },
      "env": {
        "OP_SERVICE_ACCOUNT_TOKEN": "${OP_SERVICE_ACCOUNT_TOKEN}"
      }
    }
  }
}
```

### ChatGPT — `ChatGPT → Apps directory`

1Password doesn't ship a hosted HTTPS endpoint today. ChatGPT supports remote MCP servers only — to use this server in ChatGPT you'll need to deploy it to a public HTTPS URL first (e.g. via Cloudflare Workers or Vercel) or wait for an official remote build.


## At a glance

- **Maintainer:** Community (takescake)
- **Transport:** stdio
- **Auth model:** API key
- **Required secrets:** OP_SERVICE_ACCOUNT_TOKEN
- **Supported clients:** Claude, Cursor, VS Code, Windsurf, Any MCP-compatible client, 1Password Business or Teams
- **License:** MIT
- **Language:** TypeScript
- **Latest version:** latest
- **Last verified:** 2026-05-31
- **Score:** 64/100 (rubric 2026-04 — see https://top-mcps.com/about/methodology)
- **Source:** https://github.com/takescake/1password-mcp

## Tools & permissions

| Tool | Description | Args | Side effects |
|------|-------------|------|--------------|
| `resolve_reference` | Resolve an op:// reference and return the cleartext to the calling tool only (never to the model). | `reference: string` | read |
| `list_items` | List items in a vault (metadata only — no secret values). | `vault: string` | read |

## Security & scope

- **Access scope:** read-only
- **Sandbox:** The server authenticates with a 1Password service-account token, which is scoped to specific vaults on the 1Password side. The MCP itself never persists cleartext — every resolution happens inline at tool-call time.
- **Gotchas:**
  - The service-account token IS a secret. Store it in the OS credential store, not in a config file.
  - Resolve-only — there is no write tool to create or update items. Use the 1Password app or CLI for that.
  - Audit logs live on the 1Password side. Pair the MCP with a periodic review of service-account access events.
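
To check the first gotcha across the client config shapes listed under Install, the following added example (not code from the project) reports any server entry whose `OP_SERVICE_ACCOUNT_TOKEN` or `OP_CONNECT_TOKEN` is a literal rather than a `${VAR}` reference. The function names and sample configs are constructed for illustration, and treating a value that starts with `ops_` as a service-account token is an assumption based on the `ops_eyJ...` placeholder in the Claude Code snippet.

```javascript
// Added example: flag MCP client configs that embed a literal 1Password
// credential. Function names and sample configs are constructed.
const SECRET_KEYS = ["OP_SERVICE_ACCOUNT_TOKEN", "OP_CONNECT_TOKEN"];
const ENV_REF = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/; // "${OP_SERVICE_ACCOUNT_TOKEN}"

// Yield [serverName, env] for every server entry, whichever key the client uses.
function* serverEnvs(config) {
  for (const key of ["mcpServers", "servers", "context_servers"]) {
    for (const [name, entry] of Object.entries(config[key] ?? {})) {
      yield [name, entry?.env ?? {}];
    }
  }
  // Continue nests servers under experimental.modelContextProtocolServers[].transport
  const list = config.experimental?.modelContextProtocolServers ?? [];
  for (const [i, server] of list.entries()) {
    yield [`modelContextProtocolServers[${i}]`, server?.transport?.env ?? {}];
  }
}

// Report secrets stored as literals. The value itself is never echoed.
function auditConfig(config) {
  const findings = [];
  for (const [server, env] of serverEnvs(config)) {
    for (const key of SECRET_KEYS) {
      const value = env[key];
      if (typeof value !== "string" || value === "" || ENV_REF.test(value)) continue;
      const reason = value.startsWith("ops_")
        ? "literal service-account token"
        : "literal value instead of an environment reference";
      findings.push({ server, key, reason });
    }
  }
  return findings;
}

// Constructed sample configs (the token is a placeholder, not a real credential).
const safeConfig = {
  mcpServers: { "1password": { command: "npx",
    env: { OP_SERVICE_ACCOUNT_TOKEN: "${OP_SERVICE_ACCOUNT_TOKEN}" } } },
};
const leakyConfig = {
  servers: { "1password": { command: "npx",
    env: { OP_SERVICE_ACCOUNT_TOKEN: "ops_CONSTRUCTED_PLACEHOLDER" } } },
  experimental: { modelContextProtocolServers: [
    { transport: { type: "stdio", env: { OP_CONNECT_TOKEN: "constructed-connect-token" } } },
  ] },
};
console.log(auditConfig(safeConfig), auditConfig(leakyConfig));
```

Feed it the parsed JSON of each client config file; findings name the server and key only, so the output is safe to paste into a ticket.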

## Quick answer

**What it does.** Resolves 1Password secret references at MCP tool-call time so cleartext credentials never enter the conversation context.

**Best for:**
- Reference-only secret injection
- Multi-credential workflows
- Team-shared vaults for AI tools
- Audit trails on agent secret use
- Rotating secrets without touching client config

**Not for:**
- Workflows with one local API key in env
- Cases where the downstream tool cannot accept a runtime-resolved secret

## Description

The official 1Password MCP lets an AI agent reference secrets stored in 1Password vaults — API keys, database passwords, SSH keys — without the secret values ever appearing in the conversation. It uses 1Password CLI-style secret references: the agent sees op://Vault/Item/field, the MCP resolves it at call time, and the cleartext goes directly to the downstream tool.

## Why it matters

Agents need credentials to do useful work. Pasting them into chat is a leak waiting to happen. Reference-only resolution is the only safe pattern for agent-driven secret use.

## Key features

- op:// secret references
- Service-account auth
- Per-vault scoping
- 1Password Connect support for self-hosted
- Resolve secrets without persisting to chat history

## FAQ

### Do secrets appear in chat?

No. The model sees op://Vault/Item/field — the MCP resolves it at call time and substitutes the cleartext only inside the outbound tool invocation. The conversation history stays clean.
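
The flow described above, sketched as an added example that is not the project's code: the model's arguments carry only `op://` references, the cleartext exists only in the copy handed to the tool, and the result is masked before it returns to the conversation. The in-memory `DEMO_VAULT`, the function names and the final `scrub` step are assumptions made for illustration; the page does not describe result masking.

```javascript
// Added example, not the project's code: reference-only injection around a tool call.
// Only whole-string values of the form op://Vault/Item/field (optionally with a
// section segment) are treated as references.
const OP_REF = /^op:\/\/[^\/]+\/[^\/]+\/(?:[^\/]+\/)?[^\/]+$/;

const isRef = (v) => typeof v === "string" && OP_REF.test(v);

// Deep-copy args, swapping each reference for its cleartext. `resolve` is an
// injected function (hypothetical stand-in for the real 1Password lookup).
function injectSecrets(args, resolve) {
  const used = [];
  const walk = (v) => {
    if (isRef(v)) {
      const secret = resolve(v);
      if (typeof secret !== "string" || secret === "") {
        throw new Error(`unresolved reference: ${v}`); // names the reference, never a value
      }
      used.push(secret);
      return secret;
    }
    if (Array.isArray(v)) return v.map(walk);
    if (v && typeof v === "object") {
      return Object.fromEntries(Object.entries(v).map(([k, x]) => [k, walk(x)]));
    }
    return v;
  };
  return { outbound: walk(args), used };
}

// Extra defensive step (an assumption, not described on the page): mask any
// cleartext the downstream tool echoes before its result returns to the model.
function scrub(text, used) {
  return used.reduce((t, s) => t.split(s).join("[REDACTED]"), String(text));
}

// Constructed in-memory vault and value, for the demo only.
const DEMO_VAULT = new Map([["op://Dev/Demo/api_key", "constructed-secret-123"]]);

// The model supplies modelArgs (references only); `tool` sees cleartext; the
// returned string is what would be appended to the conversation.
function callTool(modelArgs, tool) {
  const { outbound, used } = injectSecrets(modelArgs, (ref) => DEMO_VAULT.get(ref));
  return scrub(tool(outbound), used);
}
```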

### Service account vs personal token?

Service accounts. The MCP is meant to be a non-human identity with scoped vault access. Personal tokens are explicitly discouraged for this use case.

### Can I scope to one vault?

Yes — the service account itself is scoped. Create one service account per use case, grant it access to only the vaults it needs, and rotate on the same cadence as any other credential.

### Does it work with 1Password Connect (self-hosted)?

Yes. Set OP_CONNECT_HOST + OP_CONNECT_TOKEN instead of the service-account token to route through a self-hosted Connect server.

## Changelog

- **2026-05-31** — Refreshed install snippets and fact sheet; verified for 2026.
- **2025-04-08** — Initial directory listing.
